Data Security Incident & Breach Reporting Policy

This policy sets out procedures for SurgicalPerformance in the event that we experience a data breach (or suspect that a data breach has occurred). A data breach occurs when personal information is lost or subjected to unauthorised access, modification, use or disclosure or other misuse.

SurgicalPerformance aims to comply with both Australian and American laws, along with any appropriate international standards, when it comes to security, privacy and data management. This includes the Australian Privacy Act 1988, the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act (Health Information Technology for Economic and Clinical Health Act), which require rigorous processes for the proper handling of any security incident involving Protected Health Information (PHI) and timely reporting of any breach of unsecured PHI.

Reporting

If a user suspects there has been a data breach, the user must promptly report it to SurgicalPerformance via email to: [email protected]

Users should report the time and date the suspected breach was discovered, the type of personal information involved, the cause and extent of the breach, and the context of the affected information and the breach.

Types of breaches that should be reported:

Any event in which access to data might have been gained by an unauthorised person

Any event in which a device containing (or possibly containing) data has been (or might have been) lost, stolen or infected with malicious software (viruses, trojans, etc.)

Any event in which an account belonging to a person who has access to the data might have been compromised, or the password shared with an unauthorised person (responding to phishing emails, someone shoulder surfing and writing down the password, etc.)

Any attempt to physically enter or break into a secure area where data is or might be stored

Any other event in which data has been or might have been lost or stolen

Any other event in which data has been or might have been improperly used (e.g. used without the individual’s written authorisation if authorisation is required)

Response

On receiving a report of a data breach, SurgicalPerformance will immediately notify the Security Official and Development Team to review and form a Response Team.

The Response Team will determine if a data breach has occurred and undertake any immediate actions to contain the data breach if necessary.

There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.

There are four key steps to consider when responding to a breach or suspected breach.

1. Contain the breach and do a preliminary assessment

2. Evaluate the risks associated with the breach

3. Notification

4. Prevent future breaches

The response team should ideally undertake steps 1, 2 and 3 either simultaneously or in quick succession.

Whether or not a data breach has occurred, the Response Team will determine what steps need to be taken to further investigate, remediate and mitigate the incident and to protect against future incidents.

If a breach of sensitive information, including but not limited to PHI, user, reporting or outcomes data, has occurred, SurgicalPerformance will give timely notice to affected individuals and government authorities, including the OAIC, as appropriate and/or required. The notice will be given as soon as practicable.

Surgical Outcomes Quiz

Are you a Surgeon or a Hospital Administrator?*

Surgeon

Hospital Administrator

1. Are your surgical outcomes as good as those from other surgeons (return to the operating theatre, readmission, blood loss and transfusion, etc.)?*

Yes

No

I don't know

SurgicalPerformance allows you to track your own surgical outcomes and to compare your outcomes with surgeons in your institution, your country and internationally.

2. Would you like to track your outcomes to know that you are within safe boundaries?*

Yes

No

SurgicalPerformance will give you access to comparative data as well as accurate and meaningful data on your surgical outcomes plotted over time.

3. Would you know first (before anyone else knows) if your outcomes were declining gradually?*

Yes

No

SurgicalPerformance offers real-time CUSUM plots on meaningful surgical outcomes that allow you to visualize and observe outcome incidences on a time line.

4. Do complications have a profound impact on your professional and personal life?*

Yes

No

SurgicalPerformance allows you to measure your outcomes specifically for the type of surgical procedure. Outcomes include your complication rates, enabling a rational approach rather than emotionally overwhelming responses.

5. Do you feel the need for robust and relevant data in case of a legal challenge?*

Yes

No

SurgicalPerformance is your personal, confidential database on your procedures and outcomes. Results on how many procedures you have done and their outcomes can be obtained by a few mouse clicks.

1. Are your department’s surgical outcomes as good as the ones from other departments?*

Yes

No

I don't know

SurgicalPerformance allows you to track your institution’s outcomes and compare them with institutions beyond geographical and organizational boundaries.

2. What are you currently benchmarking against?*

Other departments in my organisation

I don't benchmark

SurgicalPerformance allows you to benchmark against other institutions beyond geographical and organizational boundaries. It will allow you to explore where you rank in the quality of the service you currently provide and you will be able to track your outcomes on a time line.

3. How clinically meaningful are your data?*

We use administration data entered by coders

I'm not sure

SurgicalPerformance is developed by surgeons for surgeons. We collect clinically meaningful data (e.g., return to the operating theatre, readmission, blood loss and transfusion, etc.) that inform our users about real clinical outcomes. These outcomes are often not codable and outside the scope of routine administration data coded to ICD.

4. Do you include your surgeons as stakeholders in QA activities?*

Yes

No

SurgicalPerformance allows you to have an open and constructive conversation about surgical outcomes measurement in your institution. While honouring the individual surgeon’s confidentiality, SurgicalPerformance allows you to collaborate with your medical specialists to the benefit of patients, specialists and the institution.

5. What do you think is your institution’s reputation?*

I'm sure it’s great

How would you know if the quality of your service to patients started declining gradually? SurgicalPerformance will contribute to your institution’s reputation because you will be able to demonstrate that you care about providing top quality service.